Now that you understand some of the basics of authentication and access, take a look at an example that uses some of the ideas discussed in this chapter. This example uses the network shown in Figure 3-4 to illustrate the configuration of the router called Skunk. In this example, there are two administrative machines: 192.168.3.10 and 192.168.3.11. Example 3-19 displays the configuration.
The two username commands at the beginning of the configuration use MD5 encryption to protect the passwords for the admin1 and techie1 accounts. Admin1 is given level 15 access, and techie1 is given only level 7 access. Notice that the privilege commands that follow allow techie1 to execute show and debug commands and, because configure and interface are also moved down to level 7, the shutdown command on an interface.
Router(config)# username admin1 privilege 15 secret geekyadmin
Router(config)# username techie1 privilege 7 secret underpaidoverworked
Router(config)# privilege exec level 7 show
Router(config)# privilege exec level 7 debug
Router(config)# privilege exec level 7 configure
Router(config)# privilege configure level 7 interface
Router(config)# privilege interface level 7 shutdown
Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# exit
Router(config)# line aux 0
Router(config-line)# login local
Router(config-line)# exec-timeout 5 0
Router(config-line)# exit
Router(config)# access-list 1 permit 192.168.3.10
Router(config)# access-list 1 permit 192.168.3.11
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in
Router(config-line)# login local
Router(config-line)# transport input ssh
Router(config-line)# transport output ssh
Router(config-line)# exec-timeout 5 0
Router(config-line)# exit
Router(config)# hostname Skunk
Skunk(config)# ip domain-name quizware.com
Skunk(config)# crypto key generate rsa
The name for the keys will be: Skunk.quizware.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
00:02:25: %SSH-5-ENABLED: SSH 1.5 has been enabled
Skunk(config)# no ip http server
Skunk(config)# no ip http secure-server
Skunk(config)# no snmp-server
Skunk(config)# service password-encryption
Skunk(config)# banner motd $
THIS, THE DEAL GROUP, INC., COMPUTING SYSTEM IS FOR AUTHORIZED OFFICIAL USE ONLY.
Unauthorized use or use for other than official THE DEAL GROUP, INC. business is a violation of State and Federal LAW. Individuals using this computing system are subject to having all of their activities on this system monitored and recorded without further notice. Auditing of users may include keystroke monitoring.
Any individual who uses this system expressly consents to such monitoring and is advised that information about their use of the system may be provided to State and Federal law enforcement or other authorities if evidence of criminal or other unauthorized activity is found.
$
Skunk(config)# do copy running-config startup-config
Below the last privilege command, I have set up authentication for the console, auxiliary, and VTY lines to use the local authentication database (login local). For both the auxiliary and VTY lines, I have limited their idle timeout to 5 minutes; for the VTY lines, I have restricted Telnet (and SSH) access to only the two administrative PCs. I also have restricted VTY access to SSH with the transport line commands.
Below this begins the configuration to allow SSH access, which gives the two administrators encrypted access to the Skunk router. Notice that you must first assign the router a name (hostname) and a domain name (ip domain-name), because the RSA key pair is named after the router's fully qualified domain name. Next, you must generate your encryption keys with the crypto key generate rsa command. The %SSH-5-ENABLED message in the example reports SSH 1.5, which is the SSHv1 protocol; on IOS images that support it, restrict the router to SSHv2 with the ip ssh version 2 command. Even though ACLs are discussed later in the book, make sure that you set up an ACL that allows SSH (TCP 22) but denies Telnet (TCP 23) to the router.
Below the SSH configuration, I have disabled specific services: HTTP, HTTPS, and SNMP. Even though all the passwords I have used (username secret) are protected by MD5, I am providing an additional layer of protection by using the service password-encryption command so that any other passwords I enter later, which would otherwise be stored in clear text, are at least obscured. Finally, I set up a login banner using the banner motd command and saved the configuration.
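The checks described above (local login on every line, idle timeouts, an access-class on the VTYs, SSH-only transport, HTTP/HTTPS disabled, secrets rather than type 7 passwords, and the domain name SSH depends on) are easy to verify by hand on one router and easy to miss on fifty. The following script is an added example, not code from the book, that parses the text of a show running-config and reports which of those items are missing. The configuration it audits is a constructed paraphrase of the Skunk example, deliberately weakened in two places (Telnet left enabled on the VTYs and one account stored with password instead of secret) so that the audit has findings to show; the hashes in it are placeholders, not real IOS output.

```python
"""Audit a Cisco IOS running-config for the line and service hardening
items discussed in this section.  Added example; not from the book."""
import re
from typing import Dict, List, Tuple

# Constructed sample (not captured from a real device): a paraphrase of the
# Skunk configuration in the form "show running-config" prints it, with two
# deliberate weaknesses so the audit reports something.
SAMPLE_CONFIG = """\
hostname Skunk
ip domain-name quizware.com
service password-encryption
username admin1 privilege 15 secret 5 $1$xxxx$placeholderhash
username techie1 privilege 7 password 7 0822455D0A16
no ip http server
no ip http secure-server
access-list 1 permit 192.168.3.10
access-list 1 permit 192.168.3.11
line con 0
 login local
line aux 0
 login local
 exec-timeout 5 0
line vty 0 4
 access-class 1 in
 login local
 transport input telnet ssh
 exec-timeout 5 0
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global commands and per-'line' sub-sections.

    IOS indents sub-mode commands by one space; everything else is global.
    Returns (globals, {"vty 0 4": ["access-class 1 in", ...], ...}).
    """
    globals_: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:          # ignore sub-modes we do not track
                sections[current].append(raw.strip())
            continue
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            sections[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, sections


def audit_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    globals_, sections = parse_config(text)
    findings: List[str] = []

    if "service password-encryption" not in globals_:
        findings.append("global: service password-encryption is not enabled")
    for cmd in ("no ip http server", "no ip http secure-server"):
        if cmd not in globals_:
            findings.append(f"global: '{cmd}' missing (web management may be reachable)")
    if not any(g.startswith("ip domain-name ") for g in globals_):
        findings.append("global: ip domain-name missing (RSA keys for SSH cannot be generated)")
    for g in globals_:
        m = re.match(r"username (\S+) .*\bpassword\b", g)
        if m:
            findings.append(f"global: username {m.group(1)} uses 'password' (type 7) instead of 'secret'")

    # Collect standard ACL entries so access-class references can be checked.
    acl_entries: Dict[str, List[str]] = {}
    for g in globals_:
        m = re.match(r"access-list (\S+) (permit|deny) (.*)", g)
        if m:
            acl_entries.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")

    for name, cmds in sections.items():
        if not any(c.startswith("login") for c in cmds):
            findings.append(f"line {name}: no login command (no authentication on this line)")
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"line {name}: exec-timeout not set (IOS default is 10 minutes)")
        elif all(p == "0" for p in timeout.split()[1:]):
            findings.append(f"line {name}: exec-timeout 0 disables the idle timeout")
        if name.startswith("vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), "")
            if transport != "transport input ssh":
                findings.append(f"line {name}: transport input is '{transport or 'default'}', expected 'transport input ssh'")
            ac = next((c for c in cmds if c.startswith("access-class")), None)
            if ac is None:
                findings.append(f"line {name}: no access-class; VTYs reachable from any source")
            else:
                acl = ac.split()[1]
                entries = acl_entries.get(acl, [])
                if not entries:
                    findings.append(f"line {name}: access-class {acl} references an empty or undefined ACL")
                elif any(e.startswith("permit any") for e in entries):
                    findings.append(f"line {name}: access-list {acl} permits any source")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports three findings: the techie1 account stored with a type 7 password, the console line with no exec-timeout (the book's example leaves the console at the IOS default), and the VTYs still accepting Telnet. The checks are intentionally strict string matches on the canonical form IOS writes to the running-config; abbreviated commands typed at the CLI are expanded before they are stored, so matching on the stored form is reliable.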
As you can see, this example is simple and straightforward. However, as you will see throughout the rest of this book, you need to configure many more things on your router, especially a perimeter router, to make it more secure.